Katie Moussouris


Entrepreneur Building Robust Vulnerability Disclosure & Supply Chain Coordination Programs With or Without Bug Bounties @ Luta Security
Kirkland, WA, US

About Katie Moussouris

I am the founder and CEO of a bootstrapped & profitable security company called Luta Security, where we specialize in helping businesses and governments work with hackers to better defend themselves from digital attacks, building sustainable Bug Bounty programs and vulnerability disclosure programs.

I am a noted authority on vulnerability disclosure & bug bounties. I advise companies, lawmakers, & governments on the benefits of hacking & security research to help make the internet safer for everyone. I am a hacker - first hacking computers, now hacking policy & regulations.

I sit on three Federal cyber advisory boards: DHS/CISA’s Cyber Safety Review Board, NIST’s Information Security and Privacy Advisory Board, and Commerce’s Information Security Technical Advisory Council.

I helped the US Department of Defense start the government's first bug bounty program, called "Hack the Pentagon." My earlier Microsoft work encompassed industry-leading initiatives such as Microsoft's bug bounty programs & Microsoft Vulnerability Research. I am also a subject matter expert for the US National Body of the International Standards Organization (ISO) in vuln disclosure (29147), vuln handling processes (30111), and secure development (27034). I am a visiting scholar with MIT Sloan School, doing research on the vulnerability economy and exploit market, a New America Foundation Fellow, and Harvard Belfer Affiliate. I serve on the CFP review board for RSA, O'Reilly Security Conference, Shakacon, and am an advisor to the Center for Democracy and Technology.

I am a frequent public speaker, all speaker requests please use press@Lutasecurity.com

Katie Moussouris's Current Company Details
Luta Security

Website: lutasecurity.com
Employees: 3
Katie Moussouris Work Experience Details
  • Luta Security
    Founder and CEO
    Luta Security Mar 2016 - Present
    I've launched a new security startup company called Luta Security, named for the island in the Northern Marianas where my mother was born. We specialize in the deep business management of vulnerability disclosure programs and bug bounty programs for governments and complex organizations. After launching Microsoft's and the US Department of Defense's first bug bounty programs, the industry's first vulnerability coordination maturity model, and helping many others realize the benefits of working with hackers, I'm ready to help even more people and governments worldwide in policy, vulnerability coordination, and bug bounties.
  • HackerOne
    Chief Policy Officer
    HackerOne May 2014 - Mar 2016
    San Francisco, California, US
    As Chief Policy Officer of HackerOne, I oversee the company's philosophy and approach to vulnerability disclosure, advise customers and researchers, and work toward the public good to legitimize and promote security research to help make the Internet safer for everyone.
  • Microsoft
    Senior Security Strategist Lead
    Microsoft Sep 2010 - May 2014
    Redmond, Washington, US
    I ran the Security Community Outreach and Strategy team for Microsoft as part of the Microsoft Security Response Center (MSRC) team to help drive crucial elements of our security community strategy effort.
      • I created the first Microsoft security bounty programs (www.microsoft.com/bountyprograms). We paid over $253,000 and received 18 vulnerabilities and new attack techniques to help us build stronger defenses that will protect the entire platform from this new class of attack.
      • Serve as lead subject matter expert in the US National Body for the ISO work item 29147 "Vulnerability Disclosure", published in 2014.
      • I am the editor of a new International Standard ISO 30111 Vulnerability handling processes, published in 2014, which outlines the steps vendors need to take in order to investigate, triage, and remediate vulnerabilities in products of online services.
      • Owner of vulnerability disclosure policy for Microsoft in terms of overall strategy, evolution, policy creation, messaging, and I serve as the external spokesperson for all disclosure-related matters for Microsoft.
      • Drove an industry-wide shift in disclosure terminology and practice, winning the support of dozens of researchers, vendors, CERTs and other industry notables in the process. http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx
      • Drove a new reward for defensive security research incentives with the BlueHat Prize (www.bluehatprize.com), which paid over $260,000 to security researchers to design novel defensive mitigation technology.
      • Seasoned security spokesperson with nearly a decade of corporate spokesperson experience. I have appeared on the Engadget show, in numerous print media, as well as done audio and video podcasting. Media outlets I have been quoted in include BBC, Reuters, ComputerWorld, ComputerWeekly, ThreatPost, Ars Technica, Dark Reading, ZDNet, eWeek, Engadget, and others.
  • Microsoft
    Senior Security Strategist
    Microsoft Sep 2008 - Sep 2010
    Redmond, Washington, US
    I have joined the Security Development Lifecycle (SDL) team to help drive crucial elements of our SDL outreach effort. My primary responsibility is managing our relationships with security consulting and training partners in the SDL Pro Network. I am additionally tasked with ongoing analysis of the SDL – with a goal of assisting industry verticals that are looking to apply the SDL in critical computing scenarios. I continue to serve as lead subject matter expert in the US National Body for the ISO work item 29147 "Responsible Vulnerability Disclosure".
  • Microsoft
    Security Strategist
    Microsoft Apr 2007 - Aug 2008
    Redmond, Washington, US
    At Microsoft, I have created and led several new programs that expand the mission and capabilities of the Microsoft Security Response Center, including but not limited to:
      • Defend The Flag (DTF) training program: Trains IT Professionals on the basics of attack and Windows defense
      • Microsoft Vulnerability Research (MSVR): Formalizes Microsoft’s Responsible Disclosure of third-party vulnerabilities and establishes our role in protecting customers at the platform level.
      • Acted as subject matter expert on Responsible Disclosure and CVSS on behalf of Microsoft.
      • Established a role as a Trusted Advisor and cross-group liaison both within Microsoft and externally with researchers, partners, and customers.
      • Leveraged technical security background and consulting skills to bring true risk assessment to the Ecosystem Strategy Team.
  • Symantec
    Lead Technical Architect
    Symantec Mar 2006 - Apr 2007
    San Jose, California, US
    I continue to provide Application Security Assessments, penetration testing, architecture and code reviews, and business development for Symantec Professional Services. I also developed and oversee the Symantec Vulnerability Research Program: http://www.symantec.com/research
  • Symantec
    Principal Security Consultant
    Symantec Oct 2004 - Feb 2006
    San Jose, California, US
    I joined the company formerly known as @stake, prior to its purchase by Symantec, as a Senior Security Architect specializing in application security. I have performed application penetration testing, software design and code reviews, while developing long term strategic partnerships with our clients.
  • @stake
    Senior Security Architect
    @stake Mar 2004 - Oct 2004
      • Conducted web application, network and product penetration testing.
      • Conducted other security assessments such as application architecture reviews, source code audits, secure host builds, social engineering, etc.
      • Served as technical lead for large, complex engagements for Fortune 100 companies.
      • Mentored other consultants in career and technical development areas.
  • Senior Security Consultant
    2000 - Mar 2004
    Performed independent security consulting for clients throughout the San Francisco Bay Area. Industries in which I performed security consulting services include finance, health care, online commerce, networking technology, and software design.
  • Intrusion
    Senior Security Consultant
    Intrusion 2001 - 2002
    Plano, Texas, US
      • Developed automated test suites for Intrusion Detection Software.
      • Developed client-server simulated exploitation using Hailstorm 1.0’s Fault Injection Testing, including entire TCP-IP handshake.
  • Turbolinux
    Security Software Engineer
    Turbolinux 1999 - 2000
    Tokyo, JP
      • Developed the first Security Response Program at TurboLinux.
      • Began customer security update mailing lists, and established the first security advisory release and proactive security information concerning upcoming updates to the bugtraq mailing list.
      • Evaluated TurboLinux operating system’s exposure to emerging security threats and vulnerabilities and responded accordingly.
      • Rolled patches into rpm packages and updated security download center for customers.
  • MIT
    Systems Manager
    MIT 1998 - 1999
    Cambridge, MA, US
      • Managed IT for the Department of Aeronautics and Astronautics.
      • Developed IT budget and infrastructure for support of current and future Aero-Astro Teaching Lab.
      • Responded to security incidents concerning the Department of Aeronautics and Astronautics.
  • MIT
    Systems Administrator
    MIT 1997 - 1998
    Cambridge, MA, US
      • Managed heterogeneous environment of Windows, Mac, and UNIX systems for the Whitehead Institute for Biomedical Research Genome Center at MIT (now known as the Broad Institute).
      • Maintained patch levels, designed and implemented network backup system, and performed disaster recovery and routine maintenance of all systems.
      • Contributed to design of new gene sequencing facility’s IT infrastructure.
  • MIT
    Genotyping Data Manager
    MIT 1995 - 1997
    Cambridge, MA, US
      • Part of one of the first bioinformatics teams worldwide.
      • Managed data analysis of all genotyping projects at the Whitehead Institute for Biomedical Research Genome Center at MIT.

Katie Moussouris Skills

Application Security Security Penetration Testing Computer Security Web Services Web Application Security Security Strategy Information Security Management Vulnerability Assessment Disaster Recovery Social Engineering Cryptography IT Audit Information Security CISSP Cloud Security Computer Forensics Risk Assessment Security Architecture Design Security Audits TCP/IP Reverse Engineering Unix Security Awareness Internet Security IPS Data Privacy Intrusion Detection Privacy Law PKI Encryption Networking Identity Management Information Assurance Cloud Computing Enterprise Architecture Business Continuity Network Architecture Network Security Architecture Program Management Firewalls CEH ISO 27001 Security Research Software Development PCI DSS Virtualization Information Technology Vulnerability Management

Frequently Asked Questions about Katie Moussouris

What company does Katie Moussouris work for?

Katie Moussouris works for Luta Security.

What is Katie Moussouris's role at the current company?

Katie Moussouris's current role is Entrepreneur Building Robust Vulnerability Disclosure & Supply Chain Coordination Programs With or Without Bug Bounties.

What are some of Katie Moussouris's interests?

Katie Moussouris has interest in Quantum Teleportation, Security Vulnerability Research, Reverse Engineering, Secure Development Lifecycle.

What skills is Katie Moussouris known for?

Katie Moussouris has skills like Application Security, Security, Penetration Testing, Computer Security, Web Services, Web Application Security, Security Strategy, Information Security Management, Vulnerability Assessment, Disaster Recovery, Social Engineering, Cryptography.
